Bug 1823756 - Backport SameSite=None cookie from mod_auth_openidc upstream to support latest browsers [rhel-8]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: mod_auth_openidc
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Jakub Hrozek
QA Contact: Scott Poore
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks: 1823762
Reported: 2020-04-14 12:27 UTC by Jakub Hrozek
Modified: 2021-05-18 16:13 UTC (History)

Fixed In Version: mod_auth_openidc-2.3.7-8.module+el8.4.0+9707+f2438af7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1823762 (view as bug list)
Environment:
Last Closed: 2021-05-18 16:13:32 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Jakub Hrozek 2020-04-14 12:27:11 UTC
Description of problem:

With one of the upcoming Chrome versions (used to be 80, but the change was rolled back in the meantime), Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections.


Version-Release number of selected component (if applicable):
mod_auth_openidc-2.3.7-3

How reproducible:
always

Steps to Reproduce:
1. inspect the HTTP headers
2. by default the headers must include SameSite=None
3. if http:// is used and not https:// you will get a 500 server error

Actual results:


Expected results:


Additional info:

Comment 8 Scott Poore 2021-02-02 22:40:33 UTC
Verified.

Version ::

mod_auth_openidc-2.3.7-8.module+el8.4.0+9707+f2438af7.x86_64

Results ::

OIDCClientID oidc_server.example.test-example_app
OIDCProviderMetadataURL https://oidc_server.example.test:8443/auth/realms/master/.well-known/openid-configuration
OIDCCryptoPassphrase a6efadba683c
OIDCClientSecret 7bff71d5ceb9
OIDCRedirectURI https://oidc_server.example.test:60443/private/redirect_uri
OIDCRemoteUserClaim preferred_username
OIDCSSLValidateServer Off
OIDCCookieSameSite Off

<Location /private>
    AuthType openid-connect
    Require valid-user
</Location>


<Location /oauth>
    AuthType oauth20
    Require claim email:testuser@master
</Location>

# Substitute the IDP name and the realm name. My realm is called federation.test. The rest is a well-known URI
OIDCOAuthIntrospectionEndpoint https://oidc_server.example.test:8443/auth/realms/master/protocol/openid-connect/token/introspect
# We'll be verifying the access token against the keycloak introspection point
OIDCOAuthIntrospectionEndpointParams token_type_hint=access_token
# This must match the client ID as set on the keycloak side
OIDCOAuthClientID oidc_server.example.test-example_app
# Grab the secret from the credentials tab of the client settings in keycloak
OIDCOAuthClientSecret 7bff71d5ceb9
# Otherwise the KC-issued JWT tokens are too large for the cache
OIDCCacheEncrypt On


Firefox:

HTTP/1.1 302 Found
Date: Tue, 02 Feb 2021 18:03:44 GMT 
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1g
Set-Cookie: mod_auth_openidc_state_u46beWlfearTUpU2sSO8HYwlW8M=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=None
Set-Cookie: mod_auth_openidc_session=8c5a08d1-381d-4a4e-8234-262ebfd5fd79; Path=/; Secure; HttpOnly; SameSite=None
Location: https://oidc_server.example.test:60443/private/
Content-Length: 255 
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding gzip, deflate, br
Accept-Language en-US,en;q=0.5
Cache-Control no-cache
Connection keep-alive
Cookie experimentation_subject_id=ImI0MTViYzJ...
DNT 1
Host oidc_server.example.test:60443
Pragma no-cache
Upgrade-Insecure-Requests 1
User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0


Chrome shows checked box for Secure and SameSite shows None when option Off and shows LAX when option On.
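
Added example (not code from mod_auth_openidc or from this bug report): a small Python audit of Set-Cookie headers under the Chrome "Lax by default" policy described in the bug description, which also checks the observed cookies against the OIDCCookieSameSite setting using the Off -> None / On -> Lax mapping reported in comment 8. The two Set-Cookie lines from the Firefox response above are used as sample input. The function names, the over_tls flag and the mod_auth_openidc_ cookie-name prefix used for filtering are assumptions of the example, not module behaviour documented here.

```python
"""Set-Cookie audit for the SameSite behaviour discussed in this bug.

Added example (not code from mod_auth_openidc or this bug report). The two
sample headers are copied from the Firefox response in comment 8; the
OIDCCookieSameSite -> attribute mapping (Off -> None, On -> Lax) is the one
reported there. Function names and the over_tls flag are assumptions.
"""

# Response headers from comment 8 (verbatim), used as sample input.
SAMPLE_SET_COOKIE = [
    "mod_auth_openidc_state_u46beWlfearTUpU2sSO8HYwlW8M=; Path=/; "
    "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=None",
    "mod_auth_openidc_session=8c5a08d1-381d-4a4e-8234-262ebfd5fd79; Path=/; "
    "Secure; HttpOnly; SameSite=None",
]

# Attribute value the module emits for each OIDCCookieSameSite setting,
# as observed in comment 8.
SETTING_TO_SAMESITE = {"Off": "None", "On": "Lax"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    Attribute names are lower-cased; valueless attributes (Secure, HttpOnly)
    map to True. Splitting on ';' is safe: the Expires date contains commas
    but no semicolons.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def effective_samesite(attrs):
    """Return the SameSite value a Chrome-style browser applies.

    A missing or unrecognised SameSite attribute counts as unspecified,
    which the "Lax by default" policy from the description turns into Lax.
    """
    raw = attrs.get("samesite")
    if not isinstance(raw, str):
        return "Lax"
    return {"none": "None", "lax": "Lax", "strict": "Strict"}.get(raw.lower(), "Lax")


def audit_set_cookie(header, over_tls=True):
    """Return the list of findings for one Set-Cookie header (empty = fine)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "samesite" not in attrs:
        findings.append(f"{name}: no SameSite attribute; Chrome defaults it to Lax, "
                        "so it is withheld from cross-site subrequests and POSTs")
    if effective_samesite(attrs) == "None" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None without Secure is rejected by Chrome")
    if "secure" in attrs and not over_tls:
        # The reproduction steps note a 500 from the module when plain http is
        # used; on the client side a Secure cookie set over http is discarded.
        findings.append(f"{name}: Secure cookie set over plain http is discarded")
    return findings


def check_against_setting(set_cookie_headers, setting, prefix="mod_auth_openidc_"):
    """Verify every module cookie carries the SameSite value the setting implies.

    Returns a list of (cookie name, observed, expected) mismatches; an empty
    list means the headers agree with the configured OIDCCookieSameSite.
    """
    expected = SETTING_TO_SAMESITE[setting]
    mismatches = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if not name.startswith(prefix):
            continue  # ignore cookies that are not the module's own
        observed = effective_samesite(attrs)
        if observed != expected:
            mismatches.append((name, observed, expected))
    return mismatches


if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE:
        print(parse_set_cookie(h)[0], audit_set_cookie(h) or ["ok"])
    print("OIDCCookieSameSite Off ->", check_against_setting(SAMPLE_SET_COOKIE, "Off"))
    print("OIDCCookieSameSite On  ->", check_against_setting(SAMPLE_SET_COOKIE, "On"))
```

Run against the comment 8 headers with setting Off the check reports no mismatches; with setting On it reports both module cookies as carrying None where Lax was expected, which is the distinction the verification above confirmed in Chrome's cookie inspector.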

Comment 12 errata-xmlrpc 2021-05-18 16:13:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (mod_auth_openidc:2.3 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1933

